Process - Email Pending Investigations
When Microsoft is not 100% certain that an email is phishing, it will NOT ZAP / soft delete the email automatically. Instead, the proposed action goes through an approval process so that legitimate emails are not deleted automatically.
Cyber Security needs to check the Pending Investigations at least weekly to approve or reject the ZAP / soft deletion.
Process:
1. Go to 365 Defender Admin Portal (security.microsoft.com)
2. Click on Email & Collaboration -> Investigations
3. Click on Filter

4. Change the following filters:
a. Set the Start Date to at least a week before today
b. Tick Status – Pending Action
5. Click on Apply

6. From the list of Pending Actions, click on the envelope icon to open the investigation in another tab.

7. The investigation graph shows all entities and evidence as an image. Click on the entities or the evidence to look deeper.
8. Click on Evidence to show the emails associated with the investigation.

9. Click on the emails in evidence to show further information.

10. Click on “Open in Explorer” to see the email in Defender's Threat Explorer. Then proceed with the same analysis you would do when checking phishing / malicious emails.

11. Go back to the Email Investigation then click on “Pending Actions”

12. Click on each email and then choose one of the following:
a. Approve – Approves Microsoft's action to soft delete the emails that are true phishing.
b. Reject – Rejects Microsoft's action to soft delete because the emails are false positives.

13. Repeat steps 6 – 12 until there are no more Pending Actions.
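The analysis in step 10 is usually done by hand in Threat Explorer. The script below is an added example (not part of this process document and not a Microsoft tool) that does the same lookup from the command line: it takes the NetworkMessageId shown in the investigation evidence and pulls, for every recipient copy, the delivery action, latest delivery location, sender authentication results and any post-delivery (ZAP) action, which is what the approve/reject decision in step 12 rests on. It uses the Microsoft Graph advanced hunting endpoint (POST /security/runHuntingQuery) over the EmailEvents and EmailPostDeliveryEvents tables; the bearer token is assumed to come from an app registration with the ThreatHunting.Read.All permission, and obtaining it is not shown. The sample rows at the bottom are constructed and only illustrate the response shape.

```python
"""Triage helper for the emails in a pending AIR investigation (added example)."""
import json
import os
import re
import urllib.request

# Real Graph endpoint; the token used against it is assumed to already exist.
GRAPH_HUNTING_URL = "https://graph.microsoft.com/v1.0/security/runHuntingQuery"

# NetworkMessageId values are GUIDs. Validate before interpolating into KQL so a
# value pasted from an untrusted source cannot change the shape of the query.
_GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def build_hunting_query(network_message_id: str, lookback_days: int = 7) -> str:
    """Return KQL listing each recipient copy with delivery and post-delivery actions."""
    if not _GUID_RE.match(network_message_id):
        raise ValueError(f"not a NetworkMessageId GUID: {network_message_id!r}")
    if not 1 <= lookback_days <= 30:
        raise ValueError("lookback_days must be between 1 and 30")
    return f"""
EmailEvents
| where Timestamp > ago({lookback_days}d)
| where NetworkMessageId == "{network_message_id}"
| join kind=leftouter (
    EmailPostDeliveryEvents
    | where Timestamp > ago({lookback_days}d)
    | project NetworkMessageId, RecipientEmailAddress, ActionType, ActionResult
  ) on NetworkMessageId, RecipientEmailAddress
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject,
          ThreatTypes, DeliveryAction, LatestDeliveryLocation,
          AuthenticationDetails, ActionType, ActionResult
""".strip()


def summarize_results(results: list) -> list:
    """Flatten hunting rows into triage records; AuthenticationDetails is a JSON string."""
    summary = []
    for row in results:
        try:
            auth = json.loads(row.get("AuthenticationDetails") or "{}")
        except json.JSONDecodeError:
            auth = {}
        # Any SPF/DKIM/DMARC result other than "pass" is worth a second look.
        not_passed = [k for k in ("SPF", "DKIM", "DMARC")
                      if k in auth and str(auth[k]).lower() != "pass"]
        # "Inbox/folder" is the EmailEvents location value for a copy the user can read.
        in_inbox = row.get("LatestDeliveryLocation") == "Inbox/folder"
        summary.append({
            "recipient": row.get("RecipientEmailAddress"),
            "sender": row.get("SenderFromAddress"),
            "threat_types": row.get("ThreatTypes") or "",
            "delivery": row.get("DeliveryAction"),
            "location": row.get("LatestDeliveryLocation"),
            "post_delivery": row.get("ActionType"),
            "not_passed": not_passed,
            # Still readable and no ZAP has run: approving the pending action removes it.
            "still_in_inbox": in_inbox and not row.get("ActionType"),
        })
    return summary


def run_hunting_query(bearer_token: str, query: str) -> list:
    """POST the KQL to Graph and return the result rows (network call, needs a token)."""
    body = json.dumps({"Query": query}).encode()
    req = urllib.request.Request(
        GRAPH_HUNTING_URL, data=body, method="POST",
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp).get("results", [])


# Constructed sample rows in the shape Graph returns; not real mailbox data.
SAMPLE_RESULTS = [
    {"RecipientEmailAddress": "alice@example.com", "SenderFromAddress": "billing@example.net",
     "Subject": "Invoice overdue", "ThreatTypes": "Phish", "DeliveryAction": "Delivered",
     "LatestDeliveryLocation": "Inbox/folder",
     "AuthenticationDetails": '{"SPF":"fail","DKIM":"none","DMARC":"fail","CompAuth":"fail"}',
     "ActionType": None, "ActionResult": None},
    {"RecipientEmailAddress": "bob@example.com", "SenderFromAddress": "billing@example.net",
     "Subject": "Invoice overdue", "ThreatTypes": "Phish", "DeliveryAction": "Delivered",
     "LatestDeliveryLocation": "Quarantine",
     "AuthenticationDetails": '{"SPF":"pass","DKIM":"pass","DMARC":"pass"}',
     "ActionType": "ZAP", "ActionResult": "Success"},
]

if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")          # assumed to be set by the operator
    msg_id = os.environ.get("NETWORK_MESSAGE_ID")  # copied from the investigation evidence
    rows = run_hunting_query(token, build_hunting_query(msg_id)) if token and msg_id else SAMPLE_RESULTS
    for rec in summarize_results(rows):
        print(json.dumps(rec))
```

Run with GRAPH_TOKEN and NETWORK_MESSAGE_ID set to query the tenant; without them it prints the constructed sample. Recipient copies that report still_in_inbox with failed authentication and a Phish threat type are the ones where approving the pending soft delete matters most; copies already quarantined or ZAPped need no further action regardless of the decision.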
Further reading:
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-review-approve-pending-completed-actions?view=o365-worldwide